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1 . Introduction 

This document is a user guide for issuing LCMS Administrator Cards, User IDs/passwords and system user 
certificates to access the Arterium application. It describes how to perform the steps for each of the roles 
involved in establishing access control for the LCMS system. 

1.1 Target Audience 

This document is intended for anyone within Citibank who has a role in the LCMS Access Control Process 
for the Sun Java™Badge project. There are instructions for each role in the end-to-end process. These roles 
include: 

■ Program Administrator 

■ Program Fulfillment 

■ Business Manager 

■ Arterium Security Administrator 

■ LDAP Operator 

■ RA Administrator 

• System User Administrator 

■ LCMS Admin Card Initializer 

■ Issuing Workstation Operator 

A separate document for Sun Microsystems employees explains the roles they play. 

1.2 Document Replacement 

This document combines and updates the information that used to be provided in the following documents: 




1.3 Additional references 
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1.4 Utilities required 

The following software utilities are required in order to execute the various steps described in this 
document: 

PIN Generation Utility (Netscape CMS) 
LDIF Utility (ET created) 

■ CDL Utility (ET created) 

■ CertCheck.pl (ET created) 

■ PGP 

■ Perl 



1.5 Open Issues 

■ Need to write and document the CertCheck.pl script 

■ Update Admin Card Issuing and Initialization workstation software to Gold 2.0 SP1 when it is 
available for general release 
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2 Access Control Overview 

2.1 Overview 

There are two ways to access the LCMS. One is with a User ID and password via a one-way SSL 
connection. The other is with a client based PKI certificate via a two-way SSL connection. The one-way 
SSL connection is for those users with read only access to the LCMS. Examples of these types of users are 
Customer Help Desk or Customer Service Representative employees. The two-way SSL connection is for 
users or systems that have write access to the LCMS. Examples of these types of users are customer 
Security officers or badging systems. Individual user client certificates are stored on an LCMS 
Administrator Smart card issued by Citibank. "System user" client certificates are stored on the system's 
hard drive or HSM, depending on what the system will support. 

In order to be granted access to the LCMS, the user's Program Administrator must submit an access request 
to the Citibank LCMS Business Manager for review and approval. Once the request is approved, it is 
passed to the Arterium Security Administrator and other LCMS system operators for processing. 



2.2 System Architecture 

CSRs or Help Desk Representatives within Sun establish a one-way SSL connection to the LCMS through 
port 7001. Those with client certificates establish a two-way SSL connection to the LCMS through port 
443. There is also access to the Citibank LCMS Registration Authority via port 8 144 to request and retrieve 
new client certificates. No access is allowed through the standard HTTP port 80. This process is explained 
further throughout this document. The following diagram shows the different types of access to the LCMS: 
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7001 
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PASSWORD: 



1 way SSL 128 bits 



2-way SSL 128 bits 



READ / WRITE 



Citigroup Confidential, Copyright © (2001) by e-Citi, Citigroup 



This architecture assumes the Netscape CMS and iPlanet Directory Server will be utilized to provide the 
certificate based access control to the LCMS. If another CMS or LDAP platform will be used, the specific 
processes may have to be modified. 

2.2.1 Access Control with User lb/Password 

2.2.1.1 Guest clients 

Access thru known port 80 (http) is not allowed. 

2.2.1.2 Clients accessing with a password 

Clients accessing the LCMS with read only privilege are required to be issued a "User 

ID/ password" access. 

Protocol 

The protocol is one-way SSL and does not require client authentication. 
URL 

The connection is established with the LCMS on a specific URL and the port number 
7001 



https://cardmanagement.citibank.com:7002/arterium 

ROLES WITH THIS ACCESS 

■ hostingAdminOfficer- LCMS Hosting administrators who require access to 
upload files to the LCMS 

■ sunHelpDeskOfficer- Sun Resolution Center users, or others who require read- 
only access to the system 
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2.2.2 Access Control with a Certificate 

2.2.2.1 Certificate request for System Users 

Clients accessing LCMS for certificate issuance and download have access via https 

using port 8144. 

Protocol 

The protocol is one-way SSL so it does not requires client authentication. The process for 

certificate issuance ensures that certificates are issued only to trusted entities. 

URL 

The connection is established with the LCMS on a specific URL and the port number 
8144 

https://cardmanagement.citibank.com8 144/arterium 

2.2.2.2 Clients accessing with a certificate 

Clients accessing LCMS with read/write privilege on the database must have a certificate 

issued by the LCMS's Certificate Authority. 

Protocol 

The protocol is two-way SSL so it requires client authentication. 
URL 

The connection is established with the LCMS on a specific URL and the port number 443 
https://cardmanagement.citibank.com/arterium 

ROLES WITH THIS ACCESS 

■ citiAdminOfficer - Citibank users who require write access to the LCMS 
System. 

■ sunAdminOfficer - Sun Badging Officers 

■ Vendor - Vendors who require access to upload files to the LCMS 

■ activCardServer - System user account for Sun JavaBadge Portal or ACMS. 
This server requires read/write XML access to the LCMS 

■ badgingStation - System user account for the Sun Badging station. This system 
requires read/write XML access to the LCMS 



2.3 Roles and Responsibilities 

The following gives a brief overview of the roles and responsibilities involved with requesting, granting 
and using access to the LCMS. Each of these roles and responsibilities is described in greater detail 
throughout this document. 

2.3.1 Overview 

There are many roles in the LCMS Access Request Process. These roles are dispersed across the Citibank 
organization, and at times multiple organizations will require the same role. The following is a list of the 
LCMS Access Request process roles by the Citibank organization that fills each role. A more detailed 
description of the role in each of the access request process scenarios follows this overview. 

LCMS Hosting, Citibank Vendor (i.e. Schlumberger), and Arterium Program Administration (i.e. 
eConsumer Emerging Technologies, eBusiness eSolutions) 

■ Program Administrator 

■ Program Fulfillment 

■ New LCMS Admin 

■ New UID/Password User 
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eBusiness eSoIutions: 

■ Business Manager 

LCMS Hosting: 

■ Arterium Security Administrator 

■ LDAP Operator 

■ RA Administrator 

■ Issuing Workstation Operator 

eConsumer Emerging Technologies: 

■ LCMS Admin Card Initializer 

The only role that most likely will not be performed by a Citibank organization is the New System User 
Admin, which is part of the System User Certificate Issuing process. This role is for remote servers that 
need to connect to Arterium via XML messaging. Sun Microsystems will have users who play this role. 

2.3.2 LCMS Administration Card Issuing Role Summary 

LCMS Admin Card issuing roles fall into four groups that either issue the cards or rely on them. 
Card Initialization 

• LCMS Admin Card Initializer: A one-time preparatory role. Cards are initialized and card data is 
captured. Cards and data are sent to the Issuing Workstation Operator 

Relying Organization(s) 

The Program Administrator and Fulfillment roles are specified separately to increase the security of the 
overall process. However, it is up to the Relying Organization to decide whether these roles are staffed 
separately or not. There may be multiple Relying Organizations, including, but not limited to, Citibank, 
Citibank customers, and vendors to Citibank. 

• Program Administrator: Overall administrator of LCMS admin cards and administrators for a relying 
organization. Issues request for new admin cards, and receives confirming notification of issued cards 
and card data. 

• Program Fulfillment: Fulfillment officer at relying organization. Receives cards and distributes 
appropriately. Separation of duties from Program Administrator provides increased security for cards 
and sensitive data. 

• New LCMS Admin: New user of LCMS admin card. Roles and responsibilities are not covered in this 
document. Please see appropriate documentation issued by the relying organization. 

Business Management 

• Business Manager. Role with ultimate responsibility for and approval of requests for new LCMS 
Administrator Cards. 

Card Personalization 

The following roles are assumed to be located at the same site and that internal security mechanisms will be 
used appropriately in the internal transmission and delivery of data and cards. 

• Arterium Security Administrator: Administrator of the card issuing process preformed at the issuing 
site. Receives and logs requests for new admin cards, confirms proper number of cards were initialized 
and certificates were generated, and sends notification / card data to admin card requestor. May 
generate reports or other MIS to support Business Management of LCMS administration and access. 

• LDAP Operator: Processes and updates new admin card data file and creates special web accounts for 
processing pre-authorized certificate requests. 

• Issuing Workstation Operator: Inventories cards. Accesses web accounts, generating keys and 
downloading certificates to the cards. Updates admin card data file. Separation of roles from LDAP 
Operator provides increased security for card personalization. 
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2.3.3 UID/Password Issuing Role Summary 

User ID/Password issuing roles fall into three groups that either issue the UID/passwords or rely on them. 
Relying Organization(s) 

There may be multiple Relying Organizations, including, but not limited to, Citibank, Citibank customers, 
and vendors to Citibank. 

• Program Administrator: Overall administrator of UID/passwords and users for a relying organization. 
Issues request for new UID/password accounts, and receives confirming information with 
UID/password data. 

• New UID/password User: New user of LCMS UID/password. Roles and responsibilities are not 
covered in this document. Please see appropriate documentation issued by the relying organization. 

Business Management 

• Business Manager. Role with ultimate responsibility for and approval of requests for new LCMS 
UID/passwords. 

UID/Password Creation 

The following roles are assumed to be located at the same site and that internal security mechanisms will be 
used appropriately in the internal transmission and delivery of account data 

• Arterium Security Administrator: Administrator of UID/password issuing process performed at issuing 
site. Receives and logs requests for new accounts, confirms proper number of accounts were generated, 
and sends notification / account data to account requestor. May generate reports or other MIS to 
support Business Management of LCMS administration and access. 

• LDAP Operator: Processes and updates account data file. 

2.3.4 System User Certificate Issuing Role Summary 

System user certificate issuing roles fall into three groups that either issue certificates or rely on them. 
Relying Organization(s) 

There may be multiple Relying Organizations, including, but not limited to, Citibank, Citibank customers, 
and vendors to Citibank. 

• Program Administrator: Overall administrator of LCMS system user certificates and for a relying 
organization. Issues request for new system user certificates, and receives confirming notification of 
issued certificates. 

• New System User Admin: New user of LCMS system user certificates. Roles and responsibilities are 
not covered in this document. Please see appropriate documentation issued by the relying 
organization. 

Business Management 

• Business Manager. Role with ultimate responsibility for and approval of requests for new LCMS 
System user certificates. 

System User Certificate Generation 

The following roles are assumed to be located at the same site and that internal security mechanisms will be 
used appropriately in the internal transmission and delivery of certificate data. 

• Arterium Security Administrator: Administrator of system user certificate issuing process performed at 
issuing site. Receives and logs requests for new system user certificates, confirms proper number 
system accounts were generated, and sends notification of activated accounts to system user account 
requestor. May generate reports or other MIS to support Business Management of LCMS 
administration and access. 

• LDAP Operator: Processes and updates system user account data file, creates special web accounts for 
processing pre-authorized certificate requests. 
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• Registration Authority (RA) Administrator: Approves new certificate requests for CMS by comparing 
request to approved system account list. This role may be played by the Arterium Security 
Administrator. 
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3 LCMS Administration Card Issuing Process 

The following diagram shows the overall process for LCMS Administration Card Issuance. 
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Each of the steps and the utilities and programs required to complete the steps are described in the 
following pages. Here is a summary of the steps and the sections in which they are described: 

1. LCMS Administrator Card Initialization (Steps P1-P3) - Section 3.1 

2. LCMS Administrator Card Receipt and Storage (Steps P4-P6) - Section 3.2 

3. Account Request and Approval (Steps 1-3) - Section 3.3 

4. Account Request File Processing (Steps 4-7) - Section 3.4 

5. LCMS Administrator Card Personalization (Steps 8-9) - Section 3.5 

6. LCMS Administrator Card Confirmation and Delivery (Steps 10-13) - Section 3.6 

7. LCMS Administrator Card Fulfillment (Steps 14-17) - Section 3.7 
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3.1 LCAAS Administrator Card Initialization (P1-P3) 

3.1.1 Overview 

The card initialization process sets the initial PIN on the card and prepares the cards to have PKI 
certificates loaded. LCMS Administration Cards are based on the Schlumberger Cryptoflex 8K card 
platform. The person performing this process uses the ActivCard Gold client software along with the Card 
Data List Utility described below to complete the card initialization. 

3.1.2 Step-by-Step Process 

The process should be conducted by both a "maker" and "checker" role. Please refer to ActivCard Gold 
documentation for more information about using and installing ActivCard Gold. For more information on 
the Card Data List Utility, refer to section 3. 1.3. 

1. The "Maker" should start the CDL utility by selecting "Start\Program\CardDataList\CardDataList." 
The first time the CDL utility is run it will ask for a workstation ID. Select any two alphanumerical 
characters to identify the workstation, possibly your initials. 

2. A screen will be displayed with a randomly generated numeric PIN and two text fields. The text fields 
are "Unlock Code" and "Card Number". 

3. Insert an un-initialized Admin card into the card reader. 

4. Start the ActivCard Gold Utilities (Gold) by double clicking the smart card reader icon in the lower left 
corner of the Desktop. 

5. Proceed with card initialization. Transfer the Card PIN from the CDL utility to Gold by typing or 
copy-and-paste into Gold 

6. Exit and restart Gold. 

7. Enter the Card PIN previously used. 

8. The Unlock Code screen is displayed. Transfer the Unlock Code from the "Unlock Code" field in the 
CDL utility by typing or copy-and-paste into Gold. 

9. Close the Unlock Code screen in Gold. 

10. Select "Tools" then "View Settings" in Gold. 

11. Transfer the Serial Number from the "Card Number" field in the CDL utility by typing or copy-and- 
paste into Gold 

12. Click "Save" button on the CDL utility. A new PIN is displayed and the fields are cleared, ready for 
the next card. 

13. Repeat the above steps for as many cards as you need to initialize. 

14. To exit from the CDL utility click the close ("X") button in the upper left corner of the utility screen. 

15. Exit the ActivCard Gold Utilities. 

16. Every time the CDL utility is run it creates a new data file. The file is located in the "c:\CDL Files" 
directory and its name is "CDLyy###.txt". Where: 

• yy is the workstation ID created when CDL utility was run for the very first time, 
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• ### is a sequential number incremented every time the utility is run. 

17. The "Checker" should verify the data captured in the Card Data List. Select a card and note its ID 
(printed on the back). Find the associated entry for that card in the CDL. 

18. Insert the card into the card reader. Start the ActivCard Gold Utilities (Gold) by double clicking the 
smart card reader icon in the lower left corner of the Desktop. 

19. Enter the PIN listed in the CDL. The Unlock Code screen is displayed. 

20. Compare the Unlock Code listed in the CDL with the one displayed. They should be the same. It is 
VERY important to ensure these codes match. 

21. Click on "Disable Unlock Code display". This will prevent the Unlock Code from ever being displayed 
again. Close the screen. 

22. Exit the ActivCard Gold Utilities 

23. Send the initialized cards to the Arterium Security Administrator. 

24. Send the associated Card Data List via signed and encrypted e-mail to the Arterium Security 
Administrator 

A log file are maintained for auditing purposes. The log file name is "CDLyyLog.txt", where yy is the 
workstation ID created when CDL utility was run for the first time. The log file is stored in two locations. 
One is in the "c:\CDL Files" directory and another is located in the "d:\CDL Backup Files" directory. 



3.1.3 Card Data List Utility 

The Card Data List (CDL) utility is used to capture the initialization data for LCMS administration cards 
initialized with ActivCard Gold 1.2. The CDL utility runs on a PC workstation and is used in conjunction 
with Gold in a process that initializes LCMS Admin cards and captures selected initialization data by 
cutting and pasting. 

3.1.3.1 System Requirements 

The following are the hardware, software and networking requirements for the system on which the 
card initialization will be performed. 

a) Hardware 

i) Pentium II or III class PC. 

ii) 64 MB RAM minimum. 
Hi) Two hard disk drives. 

iv) 100 MB available space on hard drive "C:". 

v) 5 MB available space on hard drive "D:". 

vi) Standard peripherals: display, keyboard, etc. 

vii) Serial and parallel ports. 

viii) ActivCard Gold PCSC compliant serial port card reader. 

ix) Ethernet adapter. 

b) Software 

i) NT 4.0 with SP 4.0 

ii) ActivCard Gold 1.2 C2. 

iii) Email client with Pretty Good Protection (PGP). 
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iv) CCAT CDL Utility, 
c) Communications 

i) LAN connection for: 

ii) Internet email. 

3.1.3.2 Card Data List Utility Description 

The Card Data List (CDL) utility is used to capture the initialization data for LCMS administration 
cards initialized with ActivCard Gold 1.2. It performs the following functions: 



i) Generates CDL 

(1) Created in same folder with CDL util. 

(2) Unique name every time a new CDL is created. 

(3) CDL contains multiple card init data records, 
(a) One record per card. 

(i) Each record has multiple fields. 

(ii) Each field has a name part and a data part 

(iii) Fields: 

1. PIN: randomly generated by CDL util, numeric characters, length of four. 

2. Unlock code: pasted by operator. 

a. Length should be checked. Notify operator if not correct. 

b. Checked against previous to insure new paste. Notify operator if 
correct. 

3. Card number: pasted by operator. 

a. Length should be checked. Notify operator if not correct. 

4. Name (of cardholder): pasted by operator of Issuing Workstation (at eCiti 
Hosting) 

ii) Generates log file 

(1) Single log file created in same folder with CDL util. 

(2) Backup maintained in a separate folder. 

(a) Folder location should be settable by some TBD mechanism. 

(3) Data from each CDL record is logged, 
(a) Date and time added to each record. 

iii) Operates interactively 

(1) Creates new CDL at startup. 

(2) GUI for accepting record data. 

(3) Does field checks. 

(4) Writes to CDL and log upon command (i.e. button) by operator. 

(5) Exits upon command from operator. 



3.1.3.3 Installing the CDL Utility 

1. Install ActivCard Gold 1.2 and the card reader according to vendor instructions. 

2. From the CDL Utility distribution media, run setup.exe". Follow the prompts to install the 
CDL utility. It will be installed under "Program Files" directory in the "CardDataList" 
subdirectory 

3.1.3.4 Card Data List Utility Un-installation 

From "Control Panel" select "Add/Remove Program" and then select "CardDataList". 
Follow prompts to remove CDL utility from computer. 

Note: The "c:\CDL Files" and "d:\CDL Backup Files" are not removed by uninstall process. 
You have to remove those directories and/or files in those directories manually if needed. 
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3.1.3.5 Building the COL Utility 

Visual Studio 6.0 and Visual Basic 6.0 are required to build CDL Distribution Pack. The 
following steps need to be preformed: 

1. Select "Start" and "Programs" and "Microsoft Visual Studio 6.0" and "Microsoft Visual 

Studio 6.0 Tools" and "Package and Deployment Wizard" 

2. Start "Package and Deployment Wizard" 

3. Select project "C:\CardDataList\CardDataList.vbp" 

4. Click on "Package" button 

5. Select Package type to be "Standard Setup Package". 

6. Click "Next", "Next", "Yes", and "Next". 

7. Add "Citi'gif * and "pin.mdb" files in included files list. 

8. Click "Next". 

9. Select "Single CAB" 

10. Click "Next" a few times until you will see "Finish". 

11. Click "Finish". 

12. Click "Save Report" and "Close" 

13. Click "Close" one more time. 

14. The Distribution CD is in the "c:\CardDataList\Package" directory. The distribution files 
are "Setup.exe\ Setup.lst", and "CDL.cab". 

3.2 LCMS Administrator Card Receipt and Storage (Steps P4-P6) 

3.2.1 Overview 

The Arterium Security Administrator receives the LCMS Administration Cards and associated Card Data 
List. The administrator should notify the Issuing Workstation Operator of the receipt of the cards, and 
document log the receipt of the cards for change control purposes. It is then the responsibility of the Issuing 
Workstation Operator track the inventory of cards and securely store the information until new cards need 
to be personalized. 

3.2.2 Step-by-Step Process 

1. The Arterium Security Administrator receives the Card Data List via signed and encyrpted e-mail from 
the Card Initializer. 

2. The Arterium Security Administrator receives the initialized LCMS Admin Cards via shipment 

3. Verify the CDL information matches the card shipment by verifying it has the correct number and IDs 
of the cards. 
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4. Log the receipt of the cards and notify the Card Initializer the information is correct 

5. Send the CDL to the Issuing Workstation Operator via signed and encrypted e-mail and send the cards 
in a separate package. 

6. The Issuing Workstation Operator should store the CDL and initialized LCMS Admin Cards securely 
until ready for use 

7. The Arterium Security Administrator should track to make sure the number of LCMS Admin Card 
requests coming in does not exceed the inventory of cards available. As the inventory depletes, notify 
the Card Initializer that more cards are required. 



3.3 Account Request and Approval (Steps 1-3) 

3.3.1 Overview 

The Program Administrator is responsible for issuing new account requests. These requests can be for new 
LCMS Admin Card accounts, UID/Password accounts, or System User accounts. The Program 
Administrator gathers the required account request data and submits the Account Request file via secure e- 
mail to the Citibank Business Manager. The Business Manager is responsible for reviewing and approving 
the access request. The Business Manager then sends the approved request via secure e-mail to the 
Arterium Security Administrator for processing. 

3.3.2 Step-by-Step Process 

1. The Program Administrator generates the Account Request File and sends to the Citibank Business 
Manager using signed and encrypted e-mail. 

2. The Business Manager should reviewed the ARF for the following items: 

Determine if the requested access is approved 
■ Determine if the ARF is complete and in the correct format 

3. The Business Manager should inform the Program Administrator should be informed of any mistakes 
and the Program Administrator should correct and re-submit the ARF if necessary. 

4. If the format is correct and the Business Manager deems the request to be acceptable the ARF should 
be sent via signed and encrypted e-mail the Arterium Security Administrator. 



3.3.3 Account Request File Requirements 

The ARF is used for LCMS Admin Card requests, UID/password requests, and system user requests. These 
requests can either be to add or delete an account. The ARF should only be sent using encrypted and signed 
e-mail. 

LCMS Account Request File Requirements 



Text file(s) should be submitted with the following format: 
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a(add)/d(delete);first name;Iast name;userid;e-mail address;role 
a(add)/d(delete);first name;last name;userid;e-mail address;role 
a(add)/d(delete);firstname;last name;userid;e-mail address;role 

For example: 

a;joe;smith;jsmithl;joe.smith@company.com;sunHelpDeskOfficer 
a;kimJones;;kim jones@company.com;sunAdminOfficer 
a;tom;wilson;tom wilson;torn.wilson@cornpany.com;sunAdrninOfficer 
ajoe k.;smith;jsmith2;joe.k.srnith@cornpany.com;sunHelpDeskOfficer 
a;sunserver.sun.com;;;administrator@sun.com;activCardServer 

NOTE: Separate files should be created for "adds" vs. "deletes" due to security risks in processing account 
deletions in a timely manner. 

Notes about format/content of data 



■ All information except the role name is not case sensitive 

■ Specify an "a" at the beginning of the record for an add, and a "d" for a delete. If records should be 
modified, first specify that the record be deleted, and then specify an add record with the updated 
information 

■ The roles are either sunAdminOfficer, sunHelpDeskOfficer, citiAdminOfficer, Vendor, 
hostingAdminOfficer, activCardServer or badgingStation. These role names are case sensitive. 

For those with the sunAdminOfficer, citiAdminOfficer, Vendor activCardServer and badgingStation 
role the UserlD field should be left blank. For example: 

a;Joe;Smith;;joe.smith@company.com;sunAdminOfficer 

This role does not have to enter the user ID because it is automatically stored on the Admin card and 
generated based on a combination of the first and last name. 

■ For those with the sunHelpDeskOfficer or hostingAdminOfficer role, the UserlD field can be 
populated with the desired login ID. There are no character limitations to this field, but it must be 
unique across all users. If this field is left blank, then by default the user will be assigned a UserlD that 
is equal to their Common name, or the combination of their first and last name. For example: 

a;Joe;Smith;jsmithl;joe.smith@company.com;sunHelpDeskOfficer - Joe's login ID would be jsmithl 
a;Joe;Smith;;joe.smith@company.com;sunHelpDeskOfficer - Joe's login ID would be Joe Smith 
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■ Across ALL users (regardless of role), the Common name, or the combination of their first and last 
name, MUST be unique. If there is more than one user with the same first and last name, add an initial 
or a unique character to the first name field to distinguish the names apart. For example: 

a;Joe;Smith;;joe.smith@company.com;sunAdminOfficer 
a;Joe W.;Smith;;joewsmith@company.com;sunAdminOfficer 

■ For System users, the First Name field should be used to specify the System hostname. The Last name 
field should be left blank. The e-mail address should be the e-mail address of the server system 
administrator. The role for the Sun ACMS and Portal is " activCardServer". The role for the Sun 
Badging Station is "badgingStation". For example: 

a;sunserver.sun.com;;;administrator@sun.com;activCardServer 

■ The e-mail address provided for those users getting an LCMS Admin Card or System User certificate 
will be the e-mail address to which the certificate renewal notification is sent when the certificate 
expires. It is important to use an active e-mail address so that the proper user will receive and act on 
the renewal notice. 



3.4 Account Request File Processing (Steps 4-7) 

3.4.1 Overview 

The Arterium Security Administrator is not responsible for approving access requests to Arterium. This 
responsibility lies with the Business Manager. Once the Arterium Security Administrator receives the 
signed and encrypted ARF from the Business Manager, this means the requests have been approved and are 
ready for processing. The Arterium Security Administrator should review and log the account requests, and 
then send the reviewed file to the LDAP Operator for import into the Arterium LDAP directory. 

The ARF is an abbreviated form of an LDIF file. The ARF must be converted to a full LDIF file before it 
can be imported into the LDAP system, to create accounts for pre-authorized users. The LDIF File 
Generator utility is used to create the full LDIF file. In addition the LDIF File Generator will produce a 
second file, the one-time-use PIN Creation List (PCL). This one-time-use PIN is required to perform the 
download of the approved certificate. 

The LDIF file created by the LDIF File Generator utility must be imported into the LDAP to create the 
accounts for pre-authorized users. 

3.4.2 Step-by-Step Process 

1. The Arterium receives the approved Account Request File via signed and encrypted e-mail from the 
Citibank Business Manager 

2. The request should be logged for a later check on the number of accounts issued. 

3. Although the Business Manager should have already examined the ARF for correct formatting, verify 
the ARF is properly formatted. 
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4. For those request for UID/password based accounts (sunHelpDeskOfficer, hostingAdminOfficer), 
amend each account request with a password. Choose a password that complies with Citibank security 
policies (at least 8 characters, must contain upper and lower case alpha and a numeric character). 

For example, if the entry says this: 

A; Fred; Pinn; FredAPinn; f red .pinn@sun . com; SunHelpDeskOfficer 
Append the entry to read like this: 

A; Fred; Pinn; FredAPinn; f red .pinn@sun . com; SunHelpDeskOfficer; He lpde ski 
Where "Helpdeskl" is the password for that account. 

5. For all other roles, amend the entry with the password "citibank". For these roles, this password will 
not be used for user authentication to Arterium but is a required field in order to complete the access 
request process. 

6. Send the reviewed and updated ARF to the LDAP Operator via signed and encrypted e-mail for further 
processing. 

7. The LDAP Operator receives the ARF via signed and encrypted e-mail from Arterium Security 
Administrator. 

8. Run the LDIF File Generator Utility, using the ARF as the Input file. Place the ARF file(s) in the same 
directory (on LDAP machine) as the Perl script and execute the following command: 

perl Ascii2Ldif.pl <input file> <organization> 

The first parameter, <input file> is the name of the ARF containing the semicolon-delimited data. The 
second parameter <organization> is the organizational name. If not supplied, then it defaults to 
'Citibank'. 

9. Compare the .LOG file to the ARF to verify the correct number of accounts have been added, deleted 
or modified and view the LDAP directory entries to make sure the correct actions were actually taken. 

10. View the REMAINDER file to see if there are any simple format errors in the records that can be 
corrected and re-run. If so, make the corrections to those records and run these corrected records 
through the LDIF File Generator Utility, using the corrected records as the Input file 

11. If there are errors for duplicate names, incomplete information, etc. pass these records back to the 
Arterium Security Administrator for follow-up. 

12. Import the LDIF file into the LDAP directory using the Directory Server Console. 

13. Run the PIN Creation List (PCL) file through the Netscape PIN Generation Utility. To do this, execute 
the following command at the command prompt: 

setpin host =<hostname> . com port=3 89 "binddn=CN=Directory Manager" 
bindpw=DMpasswd " f ilter= {uid=* ) " basedn=o=CDCLA, c=US input = input file 
output =/tmp/pin . log write 

14. Send the output file of the PIN Generation Utility via signed and encrypted e-mail to the Issuing 
Workstation Operator. This output file is also called the Certificate Account List (CAL) 
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3 A3 LDIF File Generator Utility 

This utility converts semicolon delimitated files into LDIF files. LDIF files are used to update the LDAP. 
The utility is actually a Perl script that requires the Perl interpreter in order to run. 



3.4.4 LDIF File Generator Utility Installation 

3.4.4.1 Supported Platforms 

Windows 95, Windows 98, Windows NT, Solaris, Linux are all supported, as long as 
there is a Perl interpreter available for the platform. 



3.4.4.2 Perl Installation 

Perl is assumed to be installed on the platform. If not, and there is a need for Perl, the 
user can obtain Perl from http://www.activeperl.com The download is free and the 
Windows, Solaris and Linux platforms are supported. Follow the directions on the site to 
install the Perl package. This Perl script has been tested using version 5.6.0.623. 



3.4.4.3 Script Installation 

The script is installed by simply copying the script to the directory that holds the ASCII 
delimitated input files. The Perl script file name is "Ascii2Ldif.pl". 

3.4.5 LDIF File Generator Utility Operation 

3.4.5.1 Input File Syntax 

The Input file is a collection of semicolon delimitated records containing user 
information. The general form of the Input records are: 

<action>; <GivenName> ; <SurName>; <UserId>; <EmailAddress> ,- <Rol 
e> ; <Password> 
or an empty line. 

3.4.5.1.1 Add Record 

The syntax for the Add record is as follows 

a;<Given Name>;<Sir Name>,-<User Id>;<Email Address >; <Role> 

or 

a;<Server Name > ; ; <Server Name > ; < Ema i 1 Address> ; <Role> 

or 

a;<Given Name>;<Sir Name>;<User Id>;<Email Address> ; <Role> ; <Password> 



Where: 

'a' is the action, Add Record. 

<Given Name> is the first name of user. 

<Sir Name> is the family name of the user. 

<User ld> is the user's login name. If this field is omitted and the role is 

'sunAdminOfficer', 'citiAdminOfficer', 'Vendor', 'activCardServer', 
or 'badgingStation', then it is produced from the Given Name and Sir 
Name concatenated with a space. 'Jane 5 and 'Doe' would produce 
'Jane Doe' as a user. 

<Email Address> is the Email Address of the user. This field is mandatory. 

<Role> is the Role of the user. It may be one of the following: 

'sunHelpDeskOfficer', 'sunAdminOfficer', 'citiAdminOfficer', 
'hostingAdminOfficer', 'Vendor', 'activCardServer', or 
'badgingStation'. These values are not case sensitive in the input file, 



CITIGROUP CONFIDENTIAL 
V 1.4 
Page 23 of 71 



EXPRESS MAIL NO. gVSfflgsggo ig 

cm 

but are in the resulting LDIF file. The script will convert these values 
properly. 

<Password> is the password associated with the user's user id. If the password is 

not supplied, then for roles 'hostingAdminOfficer* and 
'sunHelpDeskOfficer' the password will be randomly generated. For 
roles, 'sunAdminOfficer', 'citiAdminOfficer', 'Vendor', 
4 activCard Server', or 'badgingStation', the password 'citibank' will be 
the default. 

3.4.5.1.2 Delete Record 

The syntax for the Delete record is the same as the Add record except that the action (the first field) is 
always 'd\ for delete. The only two fields needed for delete is the action ('d') and the user id. Trailing 
semicolons may be omitted. 

d; ; ; <User Id> ; ; ; 

3.4.5.1.3 Modify Record 

The syntax for the Modify record is the same as the Add record except that the action (the first field) is 
always 'm\ for modify. The only mandatory fields for modify are the action ('m') and the user id. 
Trailing semicolons may be omitted. 

m; <GivenName> ; <SurName> ; <UserId> ; <EmailAddress> ; <Role> ; <Password> 

Please remember, only the action (m) the user id and any fields to be changed are entered. 

Example J) 

m; ; ;KarenPinn;KPinn@csi . com; 
Changes user KarenPinn's email address only. 

Example 2) 

m ; ; ;FredAPinn; SunAdminOfficer ; tOPsECREt 
Changes user FredAPinn's role and password. 

3.4.5.2 Roles 
Following are the accepted roles: 

• citiAdminOfficer 

• hostingAdminOfficer 

• sunHelpDeskOfficer 

• sunAdminOfficer 

• Vendor 

• activCardServer 

• badgingStation 

PLEASE NOTE: The roles are case sensitive in the LDIF file but are not case sensitive in the INPUT file. 

3.4.5.3 Running Ascii2Ldif.pl 

At the command prompt type: 

perl Ascii2Ldif pi <input file> <organization> 
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The first parameter, <input file> is the name of the file containing the semicolon delimitated data. 
The second parameter <organization> is the organizational name. If not supplied, then it defaults to 
Citibank. 

Any errors encountered in parsing the input file are displayed on the screen. After all records are processed, 
statistics are displayed for how many records have been added, modified, deleted or rejected. 

Example: 

>perl ascii2ldif.pl Userlnfo 

a /Karen; Pinn; KarenPirm; KarenPinn@csi . com; sunAdminOf f icer 

ERROR: Common name 'Karen Pinn' has already been added. 

a; Karen; Zinn; KarenPinn;KarenPinn@csi .com; sunAdminOf f icer 

ERROR: UID ' KarenPinn ' has already been added. 

a ; Max ; Pinn ; ; MaxOpets . com; f unAdminOf f icer 

ERROR: Role f unAdminOf f icer not defined. 

A; Elton; Lin; ; el ton. lin@citicorp . com; SunHelpDeskOf f icer 

ERROR: UID is not specified. 

m; ; ; FredAPinn; ; ZunAdminOf f icer 

ERROR: Role ZunAdminOf f icer not defined 

v; ;Blah 

ERROR: Action 'V must be either 'a', 'm', or 'd' 



Number of records added 2 

Number of records modified 2 

Number of records deleted 1 

Number of records rejected 6 

Number of blank records 2 

Total number of records processed 13 



3.4.5.4 Files Used and Produced 

There are up to four files generated by the Ascii2Ldif.pl perl script. The LDIF file, LOG File, PIN file, and 
the REMAINDER file (only if there are errors). The INPUT file is a file with no extension. The generated 
files have the same name as the INPUT file with the extensions ".ldif \ ".log", ".pin" and ".remain". 

Given an input file called 'Userlnfo', the files 4 Userlnfo. ldif , 'UserInfo.log', ' Userlnfo.pin', and possibly 
'Userlnfo. remain 1 will be created. 

Example INPUT File containing errors: 

a; Karen; Pinn; KarenPinn; KarenPinn@csi .com; sunAdminOf f icer 
a ; Karen ; Pinn ; KarenPinn ; KarenPinn@csi .com; sunAdminOf f icer 
a; Karen ; Zinn ,- KarenPinn; KarenPinn@csi . com; sunAdminOf f icer 
a; Max; Pinn; ; Max@pets . com; f unAdminOf f icer 

A; Fred; Pinn; FredAPinn ;pinn@cdc la . com; SunHelpDeskOf f icer ; topSecret 
A; Elton ;Lin; ; el ton . lin@c it icorp . com; SunHelpDeskOf f icer 

m; ; McCarthy ; KarenPinn ;McCarthy@c si .com; 
m; ,- FredAPinn; ; ZunAdminOf f icer 
m; ; ; FredAPinn; ;SuNHelpDeskOf f icer 
v; ;Blah 

d; ; ; FredAPinn; ; 

The errors are listed in the example shown in "Running Ascii2Ldif.pl" (above). 
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3.4.5.4.1 LDIF File 

The LDIF File is the file that is used to update the LDAP. Once this LDIF file is generated, it then needs to 
be imported into the Directory Server (LDAP) database. 

Example of a LDIF file produced by the above INPUT file. 

dn: uid=KarenPinn, o=Citibank, c=US 

changetype : add 

objectclass : top 

objectclass : person 

objectclass : organizationalPerson 

objectclass: inetOrgPerson 

objectclass: artPerson 

cn: Karen Pinn 

givenname: Karen 

sn: Pinn 

uid: KarenPinn 

mail: KarenPinn@csi.com 

role: sunAdminOf f icer 

iphostnumber : * 

defaultpartition: sun 

userpassword : citibank 

dn: uid=FredAPinn / o=Citibank, c=US 

changetype : add 

objectclass: top 

objectclass: person 

objectclass : organizationalPerson 

objectclass: inetOrgPerson 

objectclass: artPerson 

cn: Fred Pinn 

givenname : Fred 

sn: Pinn 

uid: FredAPinn 

mail: pinn@cdcla.com 

role: sunHelpDeskOf f icer 

iphostnumber : * 

defaultpartition: sun 

userpassword: topSecret 

dn: uid=KarenPinn, o=Citibank, c=US 
changetype: modify 
replace : sn 
sn: McCarthy 

replace: mail 

mail: McCarthy@csi.com 

replace: userpassword 
userpassword: citibank 

dn: uid=FredAPinn # o=Citibank, c=US 
changetype: modify 

dn: uid=FredAPinn, o=Citibank, c=US 

changetype: modify 

replace: role 

role: sunHelpDeskOf f icer 

replace : userpassword 
userpassword: citibank 

dn: uid=FredAPinn, o=Citibank, c=US 
changetype : delete 
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3.4.5.4.2 LOG File 

The LOG file shows all processed records with any error messages associated with the conversion. Any 
records that have listed errors will not be processed and put into the LDIF file. These records will be 
placed in the REMAINDER file discussed in the following section. 

LOG File Example: 

1 ) a ; Karen ; Pinn ; KarenPinn ; KarenPinn@csi .com; sunAdminOf f icer 

2) a; Karen; Pinn; KarenPinn; KarenPinnOcsi . com; sunAdminOf f icer 
ERROR: Common name 'Karen Pinn' has already been added. 

3 ) a; Karen; 2 inn; KarenPinn; KarenPinn@csi . com; sunAdminOf f icer 
ERROR: UID 'KarenPinn' has already been added. 

4) a; Max; Pinn; ; MaxOpets . com; funAdminOff icer 
ERROR: Role funAdminOff icer not defined. 

5) <blank> 

6) A; Fred; Pinn; FredAPinn;pinn@cdcla . com; SunHelpDeskOf f icer ; topSecret 

7) A; Elton; Lin; ; el ton . 1 in@ci t icorp . com; SunHelpDeskOf f icer 
ERROR: UID is not specified. 

8) <blank> 

9) m; ; McCarthy ; KarenPinn ;McCarthy@csi . com; 

10) m; ; ;FredAPinn; ; ZunAdminOf f icer 
ERROR: Role ZunAdminOf f icer not defined 

11) m; ; ; FredAPinn; ; SuNHelpDeskOf f icer 

12) v;;Blah 

ERROR: Action 'v' must be either 'a', 'm', or 'd' 

13) d;;;FredAPinn;; 

3.4.5.4.3 REMAINDER File 

The remainder file contains the input records that could not be processed due to syntactical errors or are 
duplicate additions. These records can be edited and reprocessed as a new input file. The REMAINDER 
file has the extension remain'. 

Example from the same run as the above LOG file: 

a; Karen ; Pinn ; KarenPinn ; KarenPinnOcsi . com; sunAdminOf f icer 
a ; Karen ; Zinn ; KarenPinn ; KarenPinnOcsi . com ; sunAdminOf f icer 
a; Max; Pinn; ;Max@pets . com; funAdminOff icer 

A; Elton ;Linn ; ; el ton. lin@c it icorp . com; SunHelpDeskOf f icer 
m; ; ; FredAPinn; ; ZunAdminOf f icer 
v; ;Blah 

3.4.5.4.4 PIN Creation List (PCL) File 

The PCL file contains the domain designations of added records. 

Example PCL file using the above INPUT file: 
dn: uid=KarenPinn, o=Citibank, c=US 
dn: uid=FredAPinn, o=Citibank, c=US 

This PCL file is used as an input file for the one-time-use PIN Generation Utility. The file specifies to the 
PIN Generation Utility which of the users in the LDAP database require PINs. The use of the PIN 
Generation Utility is described below. 

3.4.5.5 Error Codes 
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Following is a list of Error Codes for Ascii2Ldif.pl 

ERROR: Action 'v« must be either 'a 1 , 'm', or 'd* 

ERROR: Common name 'Karen Pinn ' has already been added. 

ERROR: Email is not specified. 

ERROR: Role f unAdminOf f icer not defined. 

ERROR: UID 1 KarenPinn ' has already been added. 

ERROR: UID is not specified. 



3.4.6 LDAP Import 

The Directory Server Console can be used to import the LDIF file into the directory server database. For 
best performance, the server console should only be used to import an LDIF file only if the LDIF file 
contains a relatively small number of directory entries (less than 10,000). Otherwise, command-line 
utilities should be used. NOTE: since LDIF files imported via command-line will overwrite any existing 
database entries, it is not recommended. 

To import LDIF using the Directory Server Console: 

1. On the Directory Server Console select the 'Configuration' tab. 

2. From the Console menu, select 'Import'. This displays the Import Database dialog box. 

3. Enter the full path to the LDIF file in the field provided. To search for the file, click 'Browse'. 

4. Select "Append Data to Database" as the import method. When importing with this option, the 
server does not delete the contents of the directory before adding the entries from the LDIF file. 

5. Select "Continue on Errors" to allow the import to continue even if itencouters duplicates. 

6. Click OK and the server performs the import. Any rejected entries will appear in the file specified 
in the 'File for rejects' field. 



3.4.7 PIN Generation Utility 

Once the LDIF file has been imported successfully into the database, the PIN Generation Utility that is 
included with the Netscape Certificate Management System can be executed, using the .PIN file as an 
input. The PIN Utility adds a random 6-digit PIN to the LDAP entry for each user specified in the PIN file. 
The PIN Utility outputs a file (genpin.log) that lists the selected users and their respective random PINs. 
Using this list, as well as the LOG file (described above), generating/retrieving certificates from the RA 
using username/password/PIN can then proceed. 

The PIN Generator is located on the Registration Authority (RA) server at 

<server_root>/bin/cert/tools/setpin, where <server_root > is the directory where the 
CMS binaries are kept. The command line is as follows: 

/usr /net scape/ ra/bin/cer t/ tool s/setpin hos t =LDAPhos tname 
port=port n binddn=CN=Directory Manager" bindpw=password 
" f ilter= ( search_cri teria_ie_ uid=*) " 

basedn=o=organi2ation__na/ne, c=US input = file_of_DNs__ to _process 
output = outputf"ile write 
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The following command generates PINs for all entries that have the uid attribute (in their distinguished 
name) defined in an LDAP directory on a server called javabadgel . tti . com that is listening on port 
3 89 (default LDAP port). The PIN Generator binds to the directory as user Directory Manager and 
starts searching the directory from the node dn=o=CDCLA, c=US in the directory tree. The tool 
specifically searches for the DNs listed in the input file input file . Any LDAP entry that is not 
specified in input file is ignored- The tool does not overwrite existing PINs. 

setpin host= javabadgel . tti . com port=389 "binddn=CN=Directory 
Manager" bindpw=DMpasswd " f il ter= (uid=* ) " basedn=o=CDCLA, c=US 
input-inputf ile output =/ tmp/pin . log write 

This utility will generate a log file (as specified in 'output fi le ') with the following format. 

dn : <user_dn>l 

pin: <generated_pin>l 

status: <status>l 

<blank line> 

dn : <user_dn>2 

pin: <generated_pin>2 

status: <status>2 

dn : <user_dn>n 

pin: <generated_pin>n 

status: <status>n 

where <user_dn> is a distinguished name that matched the specified DN pattern (specified 
by the 'filter' option). 

< genera ted_pin> is a string of characters 

< status > is 'added* if the pin has been added, 'replaced' if the PIN has been 

replaced ('clobber* option must be specified in command line), or 
'notreplaced' if the old PIN was not replaced ('clobber ' option was not 
specified). 

The following is an example of the output file that is generated. If an input file is used, the output file will 
only display the PINs generated for the users specified in the file. 

dn :uid=SunAdminl , o=Citibank, c=US 
pin : ldg7f y 
status : added 

dn : uid=SunHelpDeskl , o=Citibank, c=US 
pin : f mZI8w 
status : added 

dn : uid= joker , o=Citibank, c=US 
pin : elrAm9 
status : added 
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3.5 LCMS Administrator Card Personalization (Step 8-9) 
3.5.1 Overview 

The personalization step includes downloading a PKI certificate for an approved user to the initialized 
LCMS Admin Card. This certificate will allow the user to login to the LCMS. The personalization step 
begins when the Certificate Account List (CAL) is sent by the LDAP Operator and contains the account 
(i.e. "dn" field) and one-time-use PIN data for accessing web-based accounts that will personalize the 
cards. This list shows the total number of cards that need to be created. 

A Card Issuing Workstation is required to personalize the LCMS Admin Cards. The Issuing Workstation 
has a smart card subsystem product installed on it, as well as the Netscape browser. The smart card 
subsystem includes software and a card reader. When the smart card subsystem is installed it also adds the 
ability for the Netscape browser to interact with smart cards. The card reader and browser are used to 
personalize the card. The Issuing Workstation Operator will personalize cards on behalf of the cardholders. 

NOTE: There are two "PINs" referenced in this section. The card PIN, listed in the CDL, is used to access 
the LCMS Admin Card. The one-time-use PIN, listed in the CAL, is used as authorization to the RA 
Website when performing the download of the certificate to a particular card. 

Using the Netscape browser and the ActivCard client software on the Issuing workstation, complete the 
process to add certificates to the required LCMS Admin cards. When the process is complete e-mail the 
Activated Card List to the Arterium Security Administrator for verification. 



3.5.2 Step-by-Step Process 

1. Receive the initialized LCMS Admin Cards and the Card Data List (CDL) via secure e-mail from the 
Arterium Security Administrator 

2. Store the cards and the CDL in a secure locked location until ready to personalize the cards 

3. Receive the Certificate Account List via secure e-mail from the LDAP Operator 

4. Review the CAL to determine how many cards need to be personalized and retrieve the appropriate 
number of LCMS Admin Cards from secure storage. Also retrieve the CDL information for those cards 

5. Make a copy of the CDL onto the Issuing Workstation. Name it "ACLmmddyy.txt", where mmddyy is 
the date. This will be the Activated Card List when it has been properly edited. 

6. Access the RA Web site from the Netscape Browser on the Issuing workstation. On an issuing 
workstation, go to https://www.cardmanagement.citibank.com:8144 . 

7. Click on 'Directory and Pin' 

8. Submit the LCMS card to be personalized into the card reader. 

9. At the enrollment page, enter the user ID, password (citibank), and PIN (from the Certificate Account 
List) the click Submit. 
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10. User will then be prompted for card pin (original issued card pin). Reference the CDL created 
previously for the card's ID number, printed on the back of the card. Type in card pin and press 
'Enter'. 

11. Once this information is submitted, a key pair is generated on the card. This key pair will not be 
usable until a valid signed certificate is imported 
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12. After the key pair is generated, the RA automatically verifies the userid, password, and PIN 

information with the information stored in the LDAP database. If the userid, password, and PIN 
match, the request is automatically approved by the RA and sent to the CA for signing 



13. The CA then sends the signed certificate back to the RA and the detailed information displayed to the 
user. At the same time, the certificate is sent to the user and automatically imported onto the card. 
When the process completes, you will see the following message: 
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14. Enter the user's User ID associated with the card into the "Name" column of the Card Data List. With 
this information the file is now called the "Activated Card List" 

15. Verify the certificate download completed correctly by viewing the card contents via the ActivCard 
Gold utilities. Follow these steps: 

■ Insert the LCMS Admin Card into card reader 

Click on ActivGold icon, which is located on the lower right tool bar on the Desktop. 

■ When prompted to enter the card pin (which is found in the CDL file), enter the pin and then click 
'OK'. 

■ If a window displaying the card's unlock code appears, click 'Close' on that window. 

The main 'ActivCard Gold Utilities' window should now be displayed. Click on the 'Certificates' 
tab. 

■ If the certificate was successfully downloaded to the admin card, it will be listed. 

■ To escape the ActivGold utility window, click 'Cancel'. 

16. Repeat the process above for each LCMS Admin Card to be created. 

17. Send the Activated Card List to the Arterium Security Administrator using signed and encrypted e- 
mail. In the body of the e-mail indicate the number of cards personalized and dates when the first card 
and last cards were personalized (if personalization took place over a number of days). This will be 
used to confirm that the correct number of certificates was issued. 
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3.5.3 ActivCard Gold Reset Utility 

If for some reason the card personalization process does not complete correctly, the card can be 
deleted and the process repeated. The ActivCard Gold 'Reset' utility allows the user to clear all 
current users and data from an LCMS Admin Card and reset it so that new users can be loaded onto 
it. (Note: In most cases, the PIN utility would have to be re-run before downloading a new 
certificate onto the card.) The following steps outline utilizing the 'Reset' utility on a card: 

L On the issuing workstation, insert the LCMS Admin Card into the card reader. 

2. Find the agreset application file located in the ProgramFiles\ActivCard\ActivCard Gold\ 
directory on the issuing workstation. 

3. Click on agreset file. 'ActivCard Gold Reset' window appears. 

4. Select the 'PIN' radio button, if it is not already selected. Enter the card's PIN (found in the 
CDLfile). Click 'Reset'. 

5. A window will appear stating 'Are you sure you want to reset card?' Click 'Yes'. 

6. Another window will appear stating 'Card successfully reset'. Click 'OK'. 

7. Click 'Close' on the main 'ActivCard Gold Reset' window. 

8. Click on ActivGold icon, which is located on the lower right tool bar on the Desktop. 

9. 'ActivCard Gold Utilities' window will appear stating 'Your card is not initialized. Do you 
want to initialize it now?' Click 'Yes'. 

10. An 'Initialize Smart Card' window now appears asking user to enter and confirm a new 
pin. Enter the PIN that was designated for that card in the Card Data List. Click 'Initialize 
Smart Card' button. 

11. 'ActivCard Gold Utilities' window will appear stating 'The Smart Card initialization was 
successfully completed.' Click 'OK'. 

12. To escape the 'ActivCard Gold Utilities' utility, click 'Cancel' on this window. 



3.5.4 Issuing Workstation System Requirements 

1) Hardware 

a) Pentium II or III class PC. 

b) 64 MB RAM minimum. 

c) 1 00 MB available hard disk space. 

d) Standard peripherals: display, keyboard, etc. 

e) Serial and parallel ports. 

f) Ethernet adapter. 

g) ActivCard Gold PCSC compliant serial port card reader. 

2) Software 

a) NT 4.0 with SP 4.0 

b) ActivCard Gold 1.2.1 

c) Netscape Communicator, ver. 4.X. 

d) Email client with Pretty Good Protection (PGP). 

3) Communications 

a) LAN connection for: 

i) LCMS CA web site access. 
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ii) eCiti Hosting's internal email. 
4) Special setup 

a) Create folder "C:\ACL Files". 
Contains Activated Card Lists. 

3.6 LCAAS Administrator Card Confirmation and Delivery (Steps 10-13) 
3.6.1 Overview 

The Arterium Security Administrator needs to perform the "checker" role of the LCMS Admin Card 
creation process. Once the Security Administrator has verified the proper number of new certificates and 
cards were created, he gives the OK to the Issuing Workstation Operator to mail the personalized LCMS 
Admin Cards to the requesting organization Program Fulfillment person. As a separate message, the 
Arterium Security Administrator sends the Activated Card List to the requesting organization Program 
Administrator. 



3.6.2 Step-by-Step Process 

1. The Arterium Security Administrator should compare the information in the Activated Card List to the 
original Account Request File to ensure the proper number of cards was created. 

2. Use the Agent Services of the Netscape CMS to list the certificates created by date. Verify the proper 
number of certificates was created. Please see the "Agent Services" page for the "Certificate Manager" 
in the "Netscape CMS Administrator's Guide" for instructions on how to list certificates by date. 

3. Upon verification, the Arterium Security Administrator gives the OK to the Issuing Workstation 
Operator to distribute the new LCMS Admin Cards 

4. The Issuing Workstation Operator sends the cards in bulk to the requesting organization Program 
Fulfillment contact. 

5. The Arterium Security Administrator sends the Activated Card List via signed and encrypted e-mail to 
the requesting organization Program Administrator. 

3.7 LCMS Administrator Card Fulfillment (Steps 14-17) 
3.7.1 Overview 

The fulfillment task for new LCMS Administrator Cards is designed for two separate roles: the Program 
Administrator and Program Fulfillment. Separating these duties ensures that no one person has both the 
physical cards, with the card PINS, before the rightful owner of the card receives it. Program Fulfillment is 
responsible for physical card distribution, and Program Administration is responsible for card PIN 
distribution and unlock code archival. 



3.7.2 Step-by-Step Process 

1. The Program Administrator receives the Activated Card List from the Arterium Security Administrator 
via signed and encrypted e-mail. 

2. The ACL data should be securely archived so that if a user ever locks their card, they can contact the 
Program Administrator to obtain the unlock code. 
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3. The Program Administrator should securely distribute the card PIN to the correct end user. 

4. Program Fulfillment will receive the shipment of new LCMS Admin Cards from the Issuing 
Workstation Operator. 

5. The new LCMS Admin Cards should be sent to the correct user once they have received their new card 
PIN. 
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4 LCMS System User Certificate Issuing Process 

The following diagram shows the overall process for LCMS System User Certificate Issuance. Each of the 
steps and the utilities and programs required to complete the steps are described in the following pages. 
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LCMS System User Certificate Issuing Sequence Diagram 
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Each of the steps and the utilities and programs required to complete the steps are described in the 
following pages. Here is a summary of the steps and the sections in which they are described: 

1. Account Request and Approval (Steps 1-3) - Section 4. 1 

2. Account Request File Processing (Steps 4-7) - Section 4.2 

3. On-Line Certificate Request (Step 8) - Section 4.3 

4. System User Certificate Approval (Steps 9-12)- Section 4.4 

5. System User Certificate Verification (Steps 13-14) Section 4.5 

6. System User Certificate Retrieval (Steps 15-16) - Section 4.6 

4.1 Account Request and Approval (Steps 1-3) 



See section 3.3 for Account Request and Approval information. 
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4.2 Account Request File Processing (Steps 4-7) 
4.2.1 Overview 

The Arterium Security Administrator is not responsible for approving access requests to Arterium. This 
responsibility lies with the Business Manager. Once the Arterium Security Administrator receives the 
signed and encrypted ARF from the Business Manager, this means the requests have been approved and are 
ready for processing. The Arterium Security Administrator should review and log the account requests, and 
then send the reviewed file to the LDAP Operator for import into the Arterium LDAP directory. 

The ARF is an abbreviated form of an LDIF file. The ARF must be converted to a full LDIF file before it 
can be imported into the LDAP system, to create accounts for pre-authorized users. The LDIF File 
Generator utility is used to create the full LDIF file. 

The LDIF file created by the LDIF File Generator utility must be imported into the LDAP to create the 
accounts for pre-authorized users. 



4.2.2 Step-by-5tep Process 

1. Follow Steps 1-12 in Section 3.4.2 

2. Separate out the system user accounts from the Account Request file. These are those with the roles 
activCardServer and badgingStation. Save this as a separate file. This file is now called the System 
Account List. 

3. Send the System Account List to the RA Administrator via signed and encrypted e-mail. 

4.3 On-Une Certificate Request (Step 8) 

4.3.1 Overview 

A system user certificate is necessary to communicate with Arterium. For example, a badging station would 
require a system user certificate. When the badging station prints a Sun Badge, the badge's status changes 
from 'Blank 1 to 'Printed'. Thus, the badging station needs a server user certificate in order to communicate 
this change to Arterium. The System User Administrator completes the process to request and download a 
"System User" certificate from Arterium 

4.3.2 System Architecture 

The following diagram shows the process for the request, approval and retrieval of a System User 
Certificate. 
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4.3.3 Stcp-by-Step Process 



NOTE: Before starting this process, make sure the JDK and JSSE are installed on the target system, and the 
security file is properly setup. See section 4.3.4 for instructions. 

1. System User Administrator creates a keystore (or another form of file-based certificate database). This 
command generates a private/public key pair within the keystore file. 

a. For Java-based keytool keystores, the command is as follows: 

keytool -genkey -v -alias clientkey -keyalg RSA -sigalg 
SHAlWithRSA -keystore <name and location of keystore file> 

b. You will be prompted for the following information: 

Enter keystore password: <pas sword for keystore file> 

What is your first and last name? 

[Unknown] : center the FQDN of the server name> fi.e. 
badgingstation.sun.com) . 

NOTE: The 'CN' (for first and last name) must be equal to the FQDN of the server that is to 
connect to the LCMS. This server name also needs to equal the name submitted with the 
account request file. 

What is the name of your organizational unit? 
[Unknown] : < leave blank> 

What is the name of your organization? 
[Unknown] : <must enter ^Citibank' > 
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What is the name of your City or Locality? 
[Unknown] : <name of City> (i.e. Menlo Park) 

What is the name of your State or Province? 
[Unknown]: <state abbreviation (i.e. CA) 

What is the two-letter country code for this unit? 
[Unknown] : US 

Is <CN=badgingstat ion. sun.com, OU=blank, 0=Citibank, L=Menlo Park, 
ST=CA, C=US> correct? 

[no] : < enter x y' if correct> 

Generating 1024 bit RSA key pair and self-signed certificate 
(SHAlWithRSA) 

for: CN=badgingst at ion. sun.com, OU=blank, 0=Citibank, L=Menlo 
Park, ST=CA, C=US 

Enter key password for clientkey 

(RETURN if same as keys tore password) : <press RETURN> 



2. Once the public/private key pair has been created, the next step is to generate a server certificate 
request (so that the certificate can be signed by a recognized Root CA). 

a. For Java-based keytool keystores, the command is as follows: 

keytool -certreq -v -alias clientkey -file <name and location 
of file containing certificate REQUEST> -keystore <name and 
location of keystore> 

b. The following will be displayed: 

Enter keystore password: <enter keystore password> 
Certification request stored in file <name and location of 
file containing certificate REQUEST> 

c. Below is a sample of the contents of the certificate request file: 
BEGIN NEW CERTIFICATE REQUEST 

MI IBqz CCARQCAQAwazELMAkGAlUEBhMCVVMxCzA JBgNVBAgTAkNBMRQwEgYDVQQHEwtMb3MgQW5n 
ZWxlczEOMAwGAlUECriMFQ0RDTEExETAPBgNV^AsTCENpdGliYW5rMRYwFAYDVQQDEwlHYW51c2gg 
UTIJhYmhlMIGf MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDanKVY/ Jt Ha8 9ATNiaO JXZluNsaHo 
Z s 6ml W+ Fblx3 4crw9 z 1 Z4V4 1 3 SD6b7V7u4UUJs wyP6NlmlNl 8XEmb3 SUMpNo j geHGCOrs j sXT J/ 1 
PZU7Lqh2szsVlWOC3YMsPBJGh3HFfvEJnP96lk30dcgCeECj a2QlEXGCUWunHvl itwIDAQABoAAw 
DQYJKoZIhvcNAQEEBQADgYEA2TekRlA5fp6TjnDQ2e/UNwIWwJroOR/ovprgwGLq3h3A3G+3ViZJ 
AzGrPxsLaq91j0k+i5gpI6novWIthAce6Y31LorKiM0hTAxnonc21NtvBCvm8066P+DE9qRQP2al 
fHwOau/hJ2gQmUj wCluGhaBcFehB/ OzBnltuKlIApx8= 
END NEW CERTIFICATE REQUEST 



3. Copy the contents of this file (including the BEGIN NEW CERTIFICATE REQUEST and - 

END new certificate REQUEST lines) to the clipboard. 



4. Launch the Netscape browser and access the Citibank Smart Access RA Certificate Enrollment form 
located at: https:/Avwwxardmanagement.citib ank.com:8144. 
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a. Select the 'SSL Server' link in the left-hand frame. 
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b. Paste the copied server certificate request into the text area under "PKCS # 1 0 Request". 

c. Enter in the Server Administrator contact information (Full name and email address). These 
pieces of information need to be as they appear in the Account Request File. 

d. Click 'Submit'. 

e. Record the Request ID number that is returned. You will need this number when retrieving 
the approved certificate. 

5. Ensure that the Program Administrator has sent an Account Request File for the new System User 
connection. 

6. In the mean time, while waiting for the certificate approval, the System User Administrator should 
import the Citibank Root CA certificate chain into the keystore file (or other file-based certificate 
database). 

a. Return to the RA page. 

b. Click on the 'Retrieval' tab. 

c. Click on the 'Import CA Certificate Chain' link. 

d. Select the option 'Display certificates in the CA certificate chain for importing individually 
into a server' and click 'Submit'. 
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A page containing the CA Certificate Chain will be displayed. Copy the entire base64 

encoded CA Certificate chain (including the BEGIN CERTIFICATE and 

END CERTIFICATE lines) and paste it into a text file on the server. 

NOTE: the java utility 'keytooP is very picky with the text files it processes. It is 
recommended that, when using a Windows/MSDOS-based PC platform, that the certificate be 
pasted into a text editor that supports UNIX-style encoding (i.e. removes the carriage return 
character tA M' from the file). An example of such a text editor isTextPad (available from 
http://www.textpad.com ). 
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f. Import the CA certificate chain into the keystore (or file-based certificate DB) using the 

respective utilities/commands. For Java-based keytool keystores, the command is as follows: 

keytool -import -v -alias citibankca -file <name/ location of 
text file containing CA cert> -keystore <name/ location of 
keystore file> 

i. Enter the password when prompted. 

ii. A screen similar to the following will be displayed: 

Owner: CN=Certif icate Manager, OU=Citibank / 0=CDCLA, L=LA, 
ST=Calif ornia, C=US 

Issuer: CN=Certif icate Manager, OU=Citibank, 0=CDCLA, L=LA, 
ST=Cal if ornia, C=US 
Serial number: 1 

Valid from: Mon Oct 16 00:00:00 PDT 2000 until: Wed Oct 16 00:00:00 
PDT 2002 

Certificate fingerprints: 

MD5: EE:DA:64:BA:81:3D:64:E6:5B:17:6D:19:69:97:0A:48 

SHA1 : 68 : F6 : 83 : 2B : 64 : AO : 44 : 14 : 9B : DD : A6 : 69 : 5D : EC : F0 : AE : AC : BF : 77 : F2 

Trust this certificate? [no] : 

iii. Type 'yes'to trust the certificate and add it to the keystore file. If successful, the 
following message will be displayed. 

Certificate was added to keystore 
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NOTE: To view the keystore file, type the following command: 

keystore -list -v -keystore <yourf ilename> 

4.3.4 System Requirements 

Before the system user certificate request and issuing process can progress, the following must be 
accomplished on the remote system. 

1. Install JDK 1.3 and JSSE on requesting server. (Software can be downloaded fromjava.sun.com) 

2. After installing JSSE, copy the three files (jcert jar, jnet.jar, jsse.jar) from the jssel.0.2\lib 
directory into the c:\jdkl.3\jre\lib\ext folder. 

3. Open the java.security file (found in c:\jdkl .3\jre\lib\security directory). Insert the following two 
lines into the file: 

security .provider . l=sun. security .provider . Sun . 

security . provider . 2=com. sun . net . ssl . internal . ssl . Provider 

4. Save java.security file. 

5. Install Text Pad 4 (latest available version) on requesting server. Other text editors tend to add 
unnecessary carriage returns to certificates. (Software can be downloaded from Textpad.com) 

6. The system variables on the requesting machine must be edited. Perform the following steps: 

a. Go to requesting server's Control Panel (from Start Menu). 

b. Click on * System'. A 'System Properties' window will appear. 

c. Click on the 'Advanced' tab. Next, click on the 'Environment Variables' button. 

d. Find 'Path' under the 'System Variables' list box. Select 'Path' and then click the 'Edit' 
button, which is displayed below the 'System Variables' list box. 

e. An 'Edit System Variable' window should now be displayed. Append the following line 
to the end of the items listed in the 'Variable Value' text box: c:\jdkl.3\bin. Next, click 
'OK' and exit all Control Panel windows. 



4.4 System User Certificate Approval (Step 9-12) 
4.4.1 Overview 

The RA Administrator will receive the System Account List from the LDAP Operator. For new the system 
user requests accounts, the information in this list should be compared against the certificate requests that 
come in from the remote system administrators. If the data matches, the request should be approved. 

Look for the following data to match: 

• Server name (listed as Common Name (CN)) provided in the certificate request 

• Contact info of Requestor (Name, email, phone number) ~ 

After the certificate request has been approved, the certificates for the system user will be published to the 
LDAP database automatically. The Activated System Account List should be sent to the Arterium Security 
Administrator for verification. 
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4.4.2 Step-by-Step Process 

1. Receive the System Account List via secure e-mail from the LDAP operator. 

2. Login to the Approver's RA Site (https://www.cardmanagement.citibank.com:8100/arterium). 

3. Search for a specific certificate request or leave the search field blank and view all requests pending 
approval 

4. Once the desired request is located, he clicks on the 'Details* link 

5. Compare the certificate information to the System Account List to make sure the following 
information matches: 

■ Server name (listed as Common Name (CN)) provided in the certificate request 

■ Contact info of Requestor (Name, email, phone number)information to the on-line certificate 
requests which are posted to the RA server 

6. Make sure this system user exists in LDAP and the Common Name is equal to the FQDN entered in 
the request (i.e. badgingstation.sun.com) 

7. Choose whether to accept, reject, or cancel the request. If he approves it, the certificate is generated 
and automatically published to the LDAP directory. 

8. Send the System Account List, now called the Activated System Account List, to the Arterium 
Security Administrator via signed and encrypted e-mail and state in the body of the e-mail which 
requests were accepted or rejected. 

4.5 System User Certificate Verification (Steps 13-14) 

4.5.1 Overview 

The Arterium Security Administrator needs to play the "checker" role of the system user account 
generation process. The Arterium Security Administrator should verify the correct accounts were created 
and then notify the requesting organization Program Administrator that the requested certificates are ready 
for download. 

4.5.2 Step-by-Step Process 

1. The Arterium Security Administrator receives the Activated System Account List via secure e-mail 
from the RA Administrator 

2. Use the Agent Services of the Netscape CMS to list the certificates created by date. Verify the proper 
number of certificates were created. Please see the "Agent Services" page for the "Certificate 
Manager" in the "Netscape CMS Administrator's Guide" for instructions on how to list certificates by 
date 

3. Notify the requesting organization Program Administrator that the requested certificate is available for 
download. This can be done by sending them the Activated System User Account list, or by a simple e- 
mail notification. 
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4.6 System User Certificate Retrieval (Steps 15-16) 



4.6.1 



Overview 



The Program Administrator should notify the System User Administrator that the requested certificate is 
available for download. The System User Administrator should perform the download of the certificate to 
the system. 



4.6.2 Step-by-Step Overview 



1. The Program Administrator receives notification from the Arterium Security Administrator that the 
requested certificate is available for download 

2. The Program Administrator notifies the System User Administrator to retrieve the certificate. 

3. System User Administrator then returns to the RA website to retrieve the certificate. 

https://www.cardmanagement.citibank.com:8144. 
a. Click on the ' Retrieval ' Tab. 



b. Enter the Request ID and click 'Submit'. 
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c. The certificate listing will appear. Click on the * Issued certificate' serial number to display 
the actual certificate. 
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d. Scroll down to the 64 encoded certificate. 
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e. Copy the entire certificate (including the BEGIN CERTIFICATE and END 

CERTIFICATE lines) and PASTE it into a text file on the server. 

NOTE: the java utility 'keytooP is very picky with the text files it processes. It is 
recommended that, when using a Windows/MSDOS-based PC platform, that the certificate be 
pasted into a text editor that supports UNIX-style encoding (i.e. removes the carriage return 
character ^M* from the file). An example of such a text editor isTextPad (available from 
http://www.textpad.com ). 

2. Import the server certificate (signed by the Citibank Root CA) into the keystore (or file-based 
certificate DB) using the respective utilities/commands. For Java-based keytool keystores, the 
command is as follows: 

keytool -import -v -alias clientkey -file < name /location of text 
file containing signed server cert> -keystore <name/ location of 
keystore file> 

i. Enter the password when prompted. You will need to save this password for future 
use for certificate renewal. 

ii. If the import is successful, the following will be displayed: 

Certificate reply was installed in keystore 
[Saving <name/ location of keystore file>] 

3. Now that the private key has been generated, the signed public key (certificate) and Root CA 
certificate have been imported, the keystore is now ready for use with the LCMS XML messaging 
interface. 
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5 LCMS UID/Password Issuing Process 

The following diagram shows the overall process for LCMS UID/Password Issuance. 
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Each of the steps and the utilities and programs required to complete the steps are described in the 
following pages. Here is a summary of the steps and the sections in which they are described: 

1. Account Request and Approval (Steps 1-3) - Section 5.1 

2. Account Request File Processing (Steps 4-7) - Section 5.2 

3. UID/Password Account Verification (Steps 8-9)- Section 5.3 

4. UID/Password Account Distribution (Step 10)- Section 5.4 



5.1 Account Request and Approval (Steps 1-3) 

See section 3.3 for Account Request and Approval information. 
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5.2 Account Request File Processing (Steps 4-7) 
5.2.1 Overview 

The Arteritim Security Administrator is not responsible for approving access requests to Arterium. This 
responsibility lies with the Business Manager. Once the Arterium Security Administrator receives the 
signed and encrypted ARF from the Business Manager, this means the requests have been approved and are 
ready for processing. The Arterium Security Administrator should review and log the account requests, and 
then send the reviewed file to the LDAP Operator for import into the Arterium LDAP directory. 

The ARF is an abbreviated form of an LDIF file. The ARF must be converted to a full LDIF file before it 
can be imported into the LDAP system, to create accounts for pre-authorized users. The LDIF File 
Generator utility is used to create the full LDIF file. 

The LDIF file created by the LDIF File Generator utility must be imported into the LDAP to create the 
accounts for pre- authorized users. 



5.2.2 Step-by-Step Process 

1. Follow Steps 1-12 in Section 3.4.2 

2. Separate out the UID/password user accounts from the Account Request file. These are those with the 
roles sunHelpDeskOfficer and HostingAdminOfficer. Save this as a separate file. This file is now 
called the Activated UID Account List. 

3. Send the Activated UID Account List to the Arterium Security Administrator via signed and encrypted 
e-mail. 



5.3 UID/Passw/ord Account Verification (Steps 8-9) 

5.3.1 Overview 

The Arterium Security Administrator needs to play the "checker" role in the UID/password account 
creation process. The Arterium Security Administrator should verify the correct accounts were created and 
then send the new account information to the requesting organization Program Administrator. 

5.3.2 Step-by-Step Process 

1. The Arterium Security Administrator receives the Activated UID Account List from the LDAP 
operator via signed and encrypted e-mail. 

2. Verify the correct accounts were created 

3. Send the Activated UID Account List to the requesting organization Program Administrator via signed 
and encrypted e-mail. 

5.4 UID/Password Account Distribution (Step 10) 

The Program Administrator is responsible for securely distributing the new UID/password information to 
the correct end users. The Program Administrator should securely archive the Activated UID Account List 
for future reference. 
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6 Certificate Re-Issuance Process 

6.1 Overview 

The client certificates issued for LCMS Admin Cards and System Users will periodically expire. When the 
certificates expire, a new certificate must be generated and download to the LCMS Admin Card or the 
remote System. The process below describes this certificate re-issuance process. 

6.2 Certificate Check Cron Job 

This is a design for how the certificate check cron job would operate. The actual script to run and the cron 
job would need to be developed. 

Once daily, the cron job on the RA will start up a PERL script (CertCheck .pi) to notify end 
users that their certificates are soon to expire. The users will be targeted by their role. 

The LDAP directory will be referenced for each user with a given role. The certificate will be 
accessed and the expiration date will be gleaned from the certificate. The user's name (cn) will be 
accessed from the LDAP entry as will the email address (mail). If these attributes do not exist in 
the LDAP, then they will be gleaned from the certificate. 

The current GMT (Greenwich Mean Time) will be compared to the expiration time of the 
certificate. One week prior to certificate expiration, the script shall start sending emails to the 
certificate owners advising them that their certificates are soon to expire and will direct them to 
the RA web page for automatic renewal. 

Multiple versions of the PERL script can be run by multiple entries in the crontab, each targeting 
a different role. Modifying the entry in the crontab can change the granularity of the notification. 

6.3 User Notification 

When the user's certificate is soon to expire, they will receive an email to remind them to renew their 
certificate. They will receive an email once a day until they complete the renewal process. 

The email may have a similar message as follows: 
Dear Elvis Schmendekamp, 

Your Certificate is to expire on August 24, 2001. Please renew your certificate by 
visiting https : //testca. tti . com/UserRenewal .html 
Thank you. 

The user then may connect to the web page by clicking on the link name 

(https://testca.tti.com/UserRenewal.htmn . It is important to complete this process before the certificate 
expires so that no loss in LCMS service is experienced. 

6.4 Certificate Renewal Process 

1. The user connects to the web page by clicking on the link name in the received email reminder 
(https://testca.tti.com/UserRenewal.html) and will be directed to click the "Submit" button. 
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2. The user will be prompted for a password. If the certificate is stored on a smart card, the user 
should enter their Card PIN. If the certificate is stored in the browser, this is the password to the 
certificate storage database on the system. The user should enter the PIN/password and click 

"OK". 
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3. The user is then shown a list of certificates that can be renewed by this Certificate Authority. 
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User Certificate Renewal 
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4. The certificate to be renewed should be selected by default. Verify the correct certificate is 
selected and then click the "Continue" button. 

5. The user may be advised that the certificate is expired. If the certificate is still valid, the user will 
not encounter this screen. The user then clicks the "Continue" button and the certificate request 
will be processed. 
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User Certificate Renewal 
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After a small delay, the certificate will be processed and the following screen will appear: 
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Renewal Success 

Ccr>srofculatiecG> yc.r certificate r>cs been successfully renewed. 
Yc-cr renewed certificate in Ba&e 6a eraocted fcrnr 
— eesi» ctsjinc&Ts 

KIIO M/ZCAh* gXwtB A«3 C A>-cr*OQrji:_rih^_N AC C r a QAwNjU^^W:^ J.L«CihnCVV?4>: 
THE* rtXO BON VSv«i M TEOflc n PpZ ft ij v*rare : h b«*n 2<r *HhCfcMJE*W2M*MjA2liS.Ar 
r»6 yd vqrjjje *v C«E»*4Q T E<NT45C!5C^mSJ crn rg> « QE t B t.NH^SinjE bVBMS A 3 HE.* "*T5 

».Va2a XM*I W VUT C Vr V W I •* h"a**< CXTfJIic-Ih vcK iNQfe tS^rbJ^SBDYW^ZWQ-* 
9ifir*» DQ ?" JKC2 i f> v en Av.€ B BQ ADq Vli * MJGJUjOO BaJ NsriUSWBX -LqBsVfftSS ♦ ?EC<f»A 3S E 
d-Cftii-Ctti i wft - :i » M2*;rv r A2i-Ri_rvIm: 73 VR3x££Ck&? V 12Uf%CSbC30 evt£op 
I'pT *?.< T Qt5EQcrf**3C^3C< VVO W+S sOJrSy T 9 EK*?r C*jM>+<?+ 0Ff*VSp6 lv/e«fll 

^KUV Ebdr 7F pJ «wft. g KB* A-GjKsBtf KB" cOCVOj S AjG&-»£I B A.q Q E a >ir cDi-OCtf"*.* MQe& 

fi_ AwDQEMOMi 2 a«MAQ_5fiBrrf»fc K« DC C_ cO E-J bSD QE E&QO jAilB aCiB q Si^S bCS vFg ?+ 

ujm*wcyq&* qf? tao /a « acu u w^-ifl f v * 3 f f^is+a~ v_e r>r*?3 4 i po»_ s <aj & 

he-bfc5 5QJP r_5 ti eM « VJ lOr^.rsV.t* rrM !t3 us ct Dj)6 13G?cO 3 9 V ^(33 b ?J 

nti/o us f ft Pcrw8^8|#A»»03wr, feo« IX I li a Cq? r*3 wcviWKUe & 

ei,o cFrrrPic^TE 

CerttRC-te conteni. 

Version: v3 
V<sWityt 

tint Mtm: Tucw&v, lufv 3ft ii37i03 P« POT APf»alE-A^^n^6t 

E^_iicnt: 65S3? 

E0; 82530: K; IS 0£: 2f J CO; 98: W ;&S; ECH3t 
i»B 73?<0? CO? I&;l5*,64;BO;-«S; 4^.si*ri90-0S: *C; F&; PI ; 

lSi2a A,A:_Q:?E:9'4:FD:3li3*:iC: J8:»<4:3i':CiiCE:7Qi _j 

^5J«rs. "" " - ' 



7. The updated certificate is now on the smart card or in the browser. 
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Appendix A: Acronym List 



Acronym 


Definition 


CDL 


Card Data List 


LDAP 


Lightweight Directory Access Protocol 


LCMS 


Lifecycle Management System 


SSL 


Secure Sockets Layer 


CA/RA 


Certificate Authority /Registration Authority 


PKI 


Public Key Infrastructure 


LDIF 


Lightweight Directory Input rue 


PCL 


PIN Creation List 


CAL 


Certificate Account List 


PGP 


Pretty Good Privacy 


PIN 


Personal Identification Number 


ACI 


Administrator Card Issuing 


UID 


T Tcp»r TF> 


HSM 


Hardware Security Module 


CSR 


Customer Service Representative 


XML 


Extended Markup Language 


LDAP 


Lightweight Directory Access Protocol 


CMS 


Certificate Management System 


ARF 


Account Request File 


ACL 


Activated Card List 


SAL 


System Account List 


FODN 


Fully Qualified Domain Name 
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Appendix B: LCMS Network Service Requirements 



CA/RA Architecture 
Diagram 



Hosting Facility 



vl. 5 
12/12/00 




Arterium Login/ Acc ss 

(via HTTPS - por s 
vary based on SSL ype) 



Access to RA 
(via HTTPS - port 8 44) 



Client 



RA Certificate Request 
CA Returns Signed Certifjcate- 
(Via 443) 



] B 



Certificate Authority 

Ports:389 (LDAP) 

443 (HTTPS) 
8100 (CA Admin) 



Physically 
Secured 




Publish cert to LDAP 
(via 389) 



HTTPS & Appl. Server 
(RA and Weblogic (WLX)) 

Ports Required: 
389 (LDAP - for RA&WLX) 
8144 (SSL - for RA) 
8100 (for RA Admin) 
443 (2-way SSL - for WLX#1 ) 
7001 (1-waySSL-forWLX#2) 



Tier I / II 



Query LDAP (via 389) 
Query Orade {via 1521) 




Database Server 
(LDAP and Oracle) 

Ports: 

389 (LDAP - for CA/RA&WLX) 
1521 (Oracle -for WLX) 

Tier III 
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Appendix C: LCMS Certificate Based Access Control 

The following diagram shows the messaging flow for a certificate based authentication to the LCMS. 



Client 



sends LCMS cert and requests 
^Client Cert 



\ CUen 



LCMS 



• Certificate of LCMS's CA 

• Client Private Key 

• Client Cert issued by LCMS's CA 



0. Client Initiates Connection 



-J 



2. Client checks that LCMS 
cert presented was issued 
by a trusted CA 



LCMS LDAP 



• Certificate of LCMS's CA (Self signed) 
LCMS Cert issued by LCMS's CA 
LCMS Private Key 



Server Authentication Failed 
(cert issuer not trusted) 



3. Client sends his Client cert 



-J 



Client Authentication Failed 
(certs do not match- cert 
issuer not same, user info 
inconvct) 



r 1 - 



Proceed with 



login / communication 



- Copy of each user Cert Issued by 
LCMS's CA 



4. HTTP server checks that 
Client Cert was issued by 
a trusted CA 



5. HTTP server delivers 
Client Cert to SoapServlet 



6.Servlet extracts UserlD 
from Cert 



Client Authentication Failed 
I (cert not issued by CA 
trusted by LCMS) 



7. Request stored Cert for UserlD 



Cert was revoked fj 
(Cert is in CRL) l 



a 



9. Returns Copy of Client Cert 



10. Servlet compares Client 
Cert with copy of Client Cert 



8.LOAP checks for UserlD 



9. LDAP fetch copy of 
client Cert 



Citigroup Confidential, Copyright© (2000) by e-Citi, Citigroup 
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Appendix D: Test Environment LCMS Admin Card Issuance 

1. Create a new user in the test LCMS LDAP directory 

2. Launch the iPlanet Diectory Server console. Click on the 'Directory' tab to access the LDAP user 
directory. 

3. Click on the root folder (i.e. CDCLA) and from the menu bar, select 'Object->New->User' 

4. The following screen will appear. In the following example, a user by the name of santa monica will 
be used. Fill out the edit entry screen with the information about the new test user: 

■ First Name - First name of intended user 

■ Last Name - Last name of intended user 

■ Common Name - Organization identifier and last name of user in the format of org-lastname. (i.e. 
citi-doe) 

■ User ID - enter the same as the common name 

■ Password - enter "citibank" this password is not used by the user for login 

■ E-mail - not required, but enter e-mail address of intended user if it exists 



. * s&rita manic* 



; LicansflTT. 



*>Hst Warns: JSSTfiS 
* Urt Nam* j™nk* 



** Common Mamc^j; \v*ti» £3?™°* 



*US*rlDl jscmto """" _ _ " 

J?9S5W<Cf<i; p * ** r,» r* *A»*3» r»** » * « r* «t* k* < a* ** 



s ■ 

} 

, ^ '^. r ^" ^TZ T/"'" _.l "'- " '^"2" " " j» 

fi ** i «d tfcafces a requ red ^Hqfisf 



.ftccass Paring sons Usfip [ ; j^a^ 1 ^ J " Q& | Cancat j | HcJp 



5. Click on the 'Advanced' option to add additional attributes required by Arterium. The following 
Property Editor screen will appear: 
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dfi 



p rope r ty .Ed i to r - san ta mon i ca 



File Edit View 



ipnoscntrmoer—j - fx 


last name 


momca 








person f 


Object class 


organizafconalPerson |! 




tnetbrgPerson j 




artperson }• 


Password j ******************************* 


role 


atiAd mm Officer 







iT^^K | : Cancel [ Ip^Help ] 



6. Right click on 'Object class' and a menu will pop up with the following 4 options: 



Delete Attribute 


Ctrl+Q- 


.Add Attribute 


Ctrl+A 


Delete Value 


Ctrl+E 


Add Value 


Ctrl+V 



7. Click on 'Add Value' and select the "artperson" object class from the menu provided and click 'OK'. 

8. Right click on 'Object class' again and now select the 'Add Attribute' option. 

paWtl^aflbirt¥~~ CtrTOH 

j Add Attribute -Ctrl+A j 

; Delete Value "ICtrl+ri 

1 * Add Value j£U&J 

9. In the attribute list that appears, scroll down until the entry ' iphostnumber' appears. Select this item 
and click 'OK'. In the entry field, type in '*' to allow the user access to Arterium from any IP address. 



iphostnumber f** 



10. Select to 'Add Attribute' again and this time select 'role' . For the role, enter in the designated 
Arterium role for the current user request. Select either citiAdminOfficer, sunBadgingOfficer or 
Vendor 



role [ 



1 1. Repeat the previous step for the 'defaultpartition' entry. Enter in the designated card partition the 
current user has access to (i.e. 'sun' for access to the Sun card database, and 'citi' for access to the 
Citibank card database.) 

12. Once the iphostnumber, defaultpartition, and role entries have been added and populated, click on 
'OK' to complete the creation of the user entry. NOTE- The user information (especially user name 
and ID) entered into the LDAP database for this user must match EXACTLY the information that is 
submitted in the certificate request. The CA uses this information to publish user certificates into the 
correct LDAP entry. 
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13. Using a PC with ActivCard Gold 2.0 and a reader installed, initialize the new Admin Card according to 
the Gold instructions. Note the Card PIN and Unlock Code. 



14. Connect to the test RA server URL: https :// hostname. of.RA . If this is the first visit to the website, you 
will be prompted to accept a site certificate. 



lit New Site Certificate 

jovabort&ei is o site Hiatuses encryption to utotect tt onsomt ed 
inforroatfotK However, Netscape does tiot recognize me authority who 

liurtod hi Certificate. 

Atthgugh-MPtccapa cfact not rccognizo the sign©? of thVcortifcatp; you may 
deads ta accept it anyway so that you can connect ta and exchange 
nftonation'Wth 1his site,' 

Thfs »astanV Yrtll hdp yQw tlcciiio vtfwiher cr rioVyou wtsh to accept ihis 
Certificate and to what exteni. 




15. Follow the instructions and click 'Next' until prompted to click the * Finish* button. 



16. Once the certificate is accepted, the CMS Registration Manager page will appear. Fill out the Manual 
Enrollment form. 



If r ; ' i ; a " .. u I, ^ m.r' M 



fr ry« # ffewV'g tA'r>^ jjffqtwiwm-j%-VCfl!fc» J^^J^M $ Ofr»* a? fic^' gjfgggf j# 



Brovser 



eln 3 ' 

Server_ | 



[Dthcr _ j 



Manual Enrolment 

Use ifts form to submit a t&Quasi far a person^ certificate. t>ev. tte Sufcmrt button, yout rsqyss?. *Jl t« subrrtctsd 

to en "esorig .sow* for approval: When a>n issiing agent haj. approve* your reqiiest you vi% receive «he ce-rtifiira'* n ema«= 
■sfeng yrrth rretmctians for nstsllpg it, 

hmportflrtf; Se *i.re to request your cenifeate cn saw cwjutef on which >^y pian to us* the crrtifcaie?. 



User's itMJrtity 

&iter vdiie> for the fieids vnu want to insre in your certificate. Vour ate may 
you to tit ri certain nads. 
- required RaU) 



Orc»rit2atcn unl: 
Organi2auari: 

Counrtr/; p^; 



NOTE: The Full Name MUST match the Common Name LDAP directory entry, and the Login Name 
MUST match the User ID LDAP directory entry. 
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■ Full name = Full Name of user of Test LCMS Admin Card 

■ Login Name = Login ID of user of Test LCMS Admin Card 

■ Email address = Your E-mail address. This will be used to send you a notification that the certificate is 
ready for retrieval. 

■ Organizational Unit= Citibank (should match what is established for LCMS) 

■ Organization= TBD 

■ Country = US 

17. Once the form is completed, click on 'Submit' to send the request. 



MWfrtt&r 



ftc% ponder 

Other 



Public/Private Key Information 

wftsn you sfcfcrfnit ttis fee?*, frovset gsnarsies d pri*sta Mev and s pubic key . ft 
retains me povate fcey anc* ajCwilts tha puWfc fc:ey aten@ with yosr fgq^est ftr 3 
certtGcata. rue ^UbMc ley beccrnss part ar the certificate. 

§ef*cc me length or ttre asy m gemote* Tft<& fewer me t;ey &^</t. me greater me 
stream. ?cu may *«n*. to chec* voir sys-tem a<b«f^ist»foi atoui tl>* fef^ih or 
»:ey to spec^ty. 

Ktey Length; 




18. At this point, a private/public key pair will be generated. Select where the key pair is to be generated. 
Select the ActivCard database for keypair generation on the card. This step assumes that the ActivCard 
software has been installed and is operating properly. 



Grace ate A Private Key - Netscape 



# Generate A Private Key 

t^firt.yQu dick ac, Commnric^tor will gerteratie a Pmtate Key for your- - 
Cartifcaitf. This may. • Fuw mnutsfE. 

important: If you interrupt this process, you will hove 10 reapply 
t or tfts Certificate. 

- 3 database you wish to generate your key 1m 



OK 1 Cancel ) ' 



19. Once the key pair has been generated, the certificate (public key) associated with the certificate is sent 
to the Registration Authority (RA) as a certificate request. A page will appear verifying that the 
request has been sent and is awaiting approval by the RA Administrator. 
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_ ... _S __l 3 A." 



41 



Maiw»i_J 
Qim_____' 



Request Successfully Submitted 

Cc--^-a^4<i>vt. t «* «*c***t 0«k« Si'ic-KrM't attomitt-d to the R_g_t>_t^ Ma*ag«r Vc-..' -«qo«t ->! prc-:«5_ec 
*r*'. in .mfi.n-.u rou writes *m vdiaata* in* wofthau... vom i*Gu<m. 

requesl is 91. 

¥c_r ear. efrwc* an IH* statu- >«w i-qweat V>UN autlwbe- sgont er »_«_«- admina tarter by f_ferr-ig »» thw roquet ID. 



20. As the "RA Administrator" connect to the test RA server. URL: https://hostname.of.RA :8100. If this is 
the first time visiting the site, you may be prompted to accept the site certificate. 

21. Follow the instructions and click on 'Next' until you get to the last dialog box with the 'Finish' option. 

22. After the site certificate is accepted, Netscape will then send your CMS Agent certificate to the RA. If 
the user bound to the certificate is not authorized to manage certificate requests (i.e. serve as an 
authorized agent of the CMS) the user will be denied access to the CMS Agent Services page. 

23. Assuming that the user has been issued a valid Agent Certificate, after the site certificate is installed, 
the Netscape Certificate Management Sy s tern . A gent Services scree 




Edit _>w go Communicator Hdp 



Home 



Jmmi> Reload 



■ Jfc ' -fit - c* ' 
Seatprv Netscape 7 : 



Security. Shop 



fejr^*ffoofanaiks Nebite:pips://iav-b-dge1:810t)Atnoe)( ~ 

|$~ Iffinte* Mes^je" 'gj WebWai _g Radio §) Peojte " W Yellow Pages" "B^ bqwtoad §p Xdendar £_ Channels 



gfiSy What -Related 



Netscape® ; frr , . 

> Certificate, Management Agent Services 

■ System" .V'. .:' ■' 



a Registration Manager Agent Services 

The operations available through this menu are used to process 
certificate requests, revoke certificates, and update information in the 
directory server. 

_a Services Summary 

Copyright (c) 1998 Netscape Communications Corporation. 



24. Click on 'Registration Manager Agent Services' to access the certificate requests. 

25. The 'List Requests' page will appear. From this page, the authorized agent (RA Administrator) can 
access a single request (using the request identifier issued to the user requesting the certificate) or a set 
of the most recent requests (by indicating a specific number desired). 
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[lh |c*_ ^tw (jo frywircran tltt» 

1 <B»* 



j£ iaj -j. & j& 



cprtifjcate Manaspniftrtt Agent Services 



|f Ftagls*ratkm Manager ^ 

Usl BaauBKU ! ! List Requests 

Use K\is farm to show A \n\ pf certificate rsquosts. 



E*qLA»i «itus: j Show pendn^ reqi»rt> 



StaCChg t'*qu&St iCtentUla ■{ T~ 



26. In this example, there is only one certificate request that is pending approval. Click on 'Details' to 
view and manage the certificate request. 



' Registration Manager 1 



ftequost Q«<kio 

Tot a! Nu'flbsr of R*cc*t*s Found ; 1 



Type . 
enrol iTOflt 



E-surfrfttStedcla.con-i, CM-Jarrv genoac, Ut£>-larr,rg, 





. 1 


5 "^ " v a .4 ^ a • § s M- 

^ B«K' ^-r.t) RttaWI Bpr* -He«*t«» *-m SecMft -She* • . *N>.- 'MKK 






$?" ^in^i-fcttsaQ* W5*Hil Rate giW«*i ^ WtowP*S?es ||| Dwrfta) Gttftdai ^j OkM^;,. : « '* • 


C$»rttflca«-BMAna9<»«ttei« Agent .SerVleeS 





4ssigo*d to 

i.^dawri. by - 



DETAILS SCREEN: 
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Certilc-HAe M«r»«.jemeo*. • Agfcflt S«ryte<&S ' 
Systran 



I 



■•jigLggnuEals ! | Request 127 



Status* (i*fidr»3 
rypcr enrolment 
Azugncti to: ifiassiyted 

Certificate type; dienj 

^ifest £ n~ ij ^ t e r > " ' 

5*jt0tC» iiaff^f jc^'r'klr.lBc^eJ^ . «»* «W- lanry ™" 

AJsoftlbm; R5- - 1.S.8404.X-549, 1,1.1 

FubltefSE-yi SO;6i;89:0£:8u9i;O0!^D:£6^:9E.;EliFCiO3r.3Bi35i 
CD:6A: E2!?0: 37: Da: £2: IT: D3: Al.:23 :05: 8E: 0C:4D : A3: 
91? F4; 41: BB:F0 :8D; 24; 6^:50; 22: 1C>: E&:2P;e£;SB; 06; 
13; Dl : ?5: TliJEi 0E; 9B €& 46: 15: 4 1 s 36!EA.;Ci :62: CS: 
C7:F5 :£E: SC: FS: 7B :Sfi: 41: OF: CO :Cfc: Dfc: iS: 7F ; 30: OK; 
63: 31- BC- 9tfc 34; 62; 7&: &: :C?: 69; SS: £*;3l; 24= 

FO: OC :6S: 0?.F7iB&:4£ $SD: 37:33 { 77s 60s fiF-i Dl : 57: 4-<; 

.53: CO :T3: CC; 77: AY:37 :SF: 6£: 27: BE: 53; CO:A4: &3: 20: «C;AB: 50; 25: B2: 24:©&j02 s03: 01: CO: 0 1 



J 



v«n»Ky: 



not «id jfO] ]pcu.ts, NJ fap3D;fj |i? _] 003 
vafcl after, |». *J |p«iaber . [il |3EM _J |V ? ._J (1~_3 Ml S3 



iczt: 



Jl 



27. If necessary, Click on * assign to me' to assign the request to yourself. Verify the user information in 
the request with the information you provided during the enrollment phase. 

28. Scroll down to the bottom of the page. Select 'Accept this request' and click on 'Do it' to accept the 
request. 
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" 






c&nait^tQ'MOTBgfiment . Agent Services 




Sy-kt&rn 










t«4«JMimt#*. C CO] 

KkiMifiw.faj - Ob{*n:rfi ^. l S.MO.J.ilJ?ifikU C'tt calcy-lili* 



«*Yltfefitfief t 



r TNe c«tfficar* k for* .-at Cegtstcatiun Manager agant 



New Us*r ID fcr the h^ya 



29. The request is then sent to the Certificate Authority (CA). The CA will sign the certificate request and 
return it to the RA. A copy of the certificate is published in the LDAP database in the 'usercertibinary * 
field located in the certificate requestor's LDAP user entry. 

30. After the CA completes the publishing process, a verification screen will appear, and the RA 
Administrator can view the details of the issued certificate. When the RA receives the certificate back 
from the CA, an e-mail is also sent to the certificate requestor indicating that the certificate is ready to 
be picked up. 



31. After the certificate request is approved and a certificate issued by the CA, the e-mail address listed in 
the certificate enrollment page will get an e-mail similar to the following: 
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Tot eltcT*po3cb.«cn 



All automatics I ly generated notification from to 

Y(?m ccrtiSc^e- treque&bai betftfjrocesstd Pieces sfinty. 

SubjcctDN^ E=eltoa3@«<J<Ia.coDi,CN=CCTijiif.a» Manager,0=CPCI«A,C=llS 

IsjixtBH- CN-Certificate Mnna ger.GU-Ciribank.O CDC t A,L-LA,ST-Califanua 7 C-US 

iwtAfcr= 26-Oct><H 10:36:44 AM 

! Seiialb3umbBr=Ox42 



To g-tyom ctrbficale. please fclcw fas UEX Please contact yc4ir 2»dniin if tixrie ir any proUetn. 



T3 

I 



4 



1 



32. At this point, either click on the URL in the e-mail or return to the RA page ( h ttps :l f hostnam e. of.RA ) . 

33. Make sure the new test LCMS Admin Card is inserted in the reader of the PC. 



34. When returning to the RA page, the following screen will appear. Click on the 'Retrieval' tab and 
enter the request identifier that was given when the certificate request was sent. This screen will be 
bypassed if the user clicked on the URL in the e-mail. 



EES 



<* Sack -i £■ flt**J «c*-* Be*** . He»<f«p8 WW. jifc ufr &hcf> • 



ctwckR«q»B^t deck Request status 

^Stai&tf ! iJsa fbr1,h *° warifj status of the specified certificate request. 

^ eaquast ioar.tjfiar: £T~ 
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35. If a valid request identifier is entered, the Registration Manager will return a screen with the completed 
request. NOTE, clicking on the URL in the confirmation email will bring the user directly to this page. 







£ Badk fitted M>« Se*c*> «b«j«oj fcr* S«u*y Stw 








*: ufcsrTi ^IfGae |f UTtet £1 CHMaw, ^1 Yodfce j§ Autftfati gOWf ^Ftedlifc $J h« He*™* g Hr<fl* | 




1 


ci»«* tseauest ! Reauest Status 




iropnrt cA j Request: 21 
&iUfiEflte [ SJbfrt'uBd a-,: iiV*y20Qi) iS:ifl;3S 
<P$&Sk.-> -| Status; «*«ip(Btt» 
j Iran ad certificate: CUSUUMiZB 





36. Click on the certificate serial number to view the details of the certificate and to verify that it is the 
correct certificate. Once the information is verified, click on 'Import Certificate'. The certificate will 
be loaded onto the card automatically. 



■ -igfx| 



5e*c*. 



m 




In ipnrt CA. 
Chain . 



Tl m fcllOfig format cart bs used to irctaif this certificate into a servar. 
eiotrj eEtrrricm 

B I ICS JCv US yj.? I Btjt eijlWBglajtikiGSwtJ 5 aQUF Km ■rtH soSOTT'tfOOG E "oJVO SET 
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37. The certificate issuance process is now complete, 

38. Attempt authenticating to the test LCMS system with this new card to verify it is active. 

39. Mail the test LCMS Admin Card to intended user 
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40. E-mail card PIN to the intended user 
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